eJabberd “Cannot read schema”

Trying to start ejabberd I got errors such as these:

2017-09-01 00:35:06.928 [error] <0.37.0> CRASH REPORT Process <0.37.0> with 0 neighbours exited with reason: {aborted,{"Cannot read schema","/var/lib/ejabberd/schema.DAT",{error,{file_error,"/var/lib/ejabberd/schema.DAT",eacces}}}} in application_master:init/4 line 133

Turns out I made a very simple mistake; I had attempted to start eJabberd with “systemctl start ejabberd”. However, ejabberd brings its own control application. The correct way to start it is “ejabberdctl start”.

Easy-RSA Jabber SSL Certificate Problems

I’m currently setting up a new server and ran into something odd. Connecting to ejabberd with Pidgin, the latter would reject the SSL certificate outright. At first I thought I had messed up the hostnames, or used an outdated hash algorithm or whatever.

The errors I saw in the debug window were:

(22:17:42) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(22:17:42) nss: ERROR -8101: SEC_ERROR_INADEQUATE_CERT_TYPE

It turns out that SSL certificates can be flagged for what they can be used for, and I had simply created the certificate with the ./build-key command. Using ./build-key-server instead fixes the issue. The difference is that this will set nsCertType=server in the certificate.

I hope this helps anybody who runs into the same issue – it certainly had me pulling out my hair for a while.
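A quick way to catch this before the client does is to ask OpenSSL whether a certificate is flagged for server use. The script below is an added example, not part of the original post: the function names, the placeholder hostname jabber.example.test and the two throwaway self-signed certificates (one with nsCertType=client, one with nsCertType=server) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a certificate is flagged for TLS server use.

# Returns 0 if OpenSSL's purpose check accepts the certificate as a TLS
# server certificate, non-zero otherwise.
cert_allows_tls_server() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes$'
}

# Print the usage-related extensions so a mismatch is visible at a glance.
show_cert_usage() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 -E 'Netscape Cert Type|Key Usage' || echo "(no usage extensions)"
}

# Build a throwaway self-signed certificate (constructed test data) whose
# nsCertType is $1 ("server" or "client"); prints the certificate path.
# The temporary directory is left in place for inspection.
make_demo_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = jabber.example.test
[ext]
nsCertType = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -extensions ext -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir/cert.pem"
}

# Compare a client-flagged and a server-flagged certificate.
demo() {
    for kind in client server; do
        cert=$(make_demo_cert "$kind") || return 1
        show_cert_usage "$cert"
        if cert_allows_tls_server "$cert"; then
            echo "$kind: usable as TLS server certificate"
        else
            echo "$kind: NOT usable as TLS server certificate"
        fi
    done
}

demo
```

Running cert_allows_tls_server against the certificate file ejabberd is configured to use shows whether it was issued with server usage flags.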

Moving eJabberd

If you need to migrate ejabberd, you need to be aware that, at least on Debian/Ubuntu, it uses your machine name as the default nodename, or to be more precise, ejabberd@hostname. This can be controlled in /etc/default/ejabberd but unless you already knew about it, it’s a done deal already.

So, my naive approach of just copying files did not work. However, you can use the method to migrate ejabberd data files documented in the (gasp!) manual.

You also need to be aware of the fact that your jabber domain – in my case jabber.pandemonium.de – is stored as part of the user names in your roster file, so testing it with a parallel host/domain won’t do you much good. You’d have to at least simulate it with /etc/hosts entries on both client and server.